Analysis Overview
SHA256
620d13c4a73f2fef68c67391ab2cfa00dbe4443a673352df13cb265c2f00d5e1
Threat Level: Shows suspicious behavior
The file 2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-03 08:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-03 08:37
Reported: 2024-06-03 08:40
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2428 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2428 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2428 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 2428 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Temp\JngAhQQLVWkffW7.exe
| MD5 | 855f411fb454a585b04aadd1cdb5bdef |
| SHA1 | 867a24728a654eaffd3c8faf4ebb1f8e1db62b7f |
| SHA256 | 5edf2c5889fe3c968d6e1541221b34334495419b898677ab712ce2ee19184d2a |
| SHA512 | 28a0289d3e2f0921a43b14447098f30ddbb6d5f255e25ae71fcd5438adeb219021a627ec4e2d70a853baab22b2781ba9bfca941a2833f8c008a5e490cbd874fd |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-03 08:37
Reported: 2024-06-03 08:40
Platform: win10v2004-20240426-en
Max time kernel: 94s
Max time network: 147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\CTS.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | C:\Windows\CTS.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\CTS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | N/A |
| File created | C:\Windows\CTS.exe | C:\Windows\CTS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\CTS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1400 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1400 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | C:\Windows\CTS.exe |
| PID 1400 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe | C:\Windows\CTS.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f262fcd17104f903e343fe739502f0d6_bkransomware.exe"
C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\CTS.exe
| MD5 | f9d4ab0a726adc9b5e4b7d7b724912f1 |
| SHA1 | 3d42ca2098475924f70ee4a831c4f003b4682328 |
| SHA256 | b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc |
| SHA512 | 22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 870724f2d942b3676711b5bd44aeca60 |
| SHA1 | d9e6559ef4dd088a376da7cca69c604643e53308 |
| SHA256 | acb3ae71473c1cf5a54701dbc4eb8ea9ed8851a9321523689ab40936f64eef3d |
| SHA512 | 2fe0442f9a57a6116a7768614ab0b6984dfe667fbf36c900598176c1036862e83688fd43a82a9ae2d7f9f19599e31620d5cdf00845781740938cb587439a8114 |
C:\Users\Admin\AppData\Local\Temp\1rhFcMJBx9d0lGP.exe
| MD5 | 6517c0b003e7bffc76f5588efb9db530 |
| SHA1 | 3a3114c52ff675cd0b92fc86f58775aeb0e08880 |
| SHA256 | f1f5aec3383abd1e388e556d73ad5fc801b829cf7412d262fdf2664960760370 |
| SHA512 | e1c3977a3e628a9ab2f51637c082eda629342c02d36ab40481ed95ba7aef9ac729ce248cc18c9b1fe5de49170771a4fbfffd3aa40f4790293114300a4e79f527 |